Hundreds of Industrial Organizations Received Sunburst Malware in SolarWinds Attack

Hundreds of industrial organizations have apparently received a piece of malware named Sunburst as part of the supply chain attack that hit IT management and monitoring firm SolarWinds last year, Kaspersky’s ICS CERT unit reported on Tuesday.

SolarWinds’ analysis of the attack revealed that up to 18,000 of its customers may have received trojanized updates for its Orion monitoring product. These updates contained the Sunburst backdoor, which gave the attackers access to victims’ systems and allowed them to deploy additional payloads to the organizations they considered of interest.

An analysis of command and control (C&C) mechanisms used by the Sunburst malware, specifically DNS responses, has allowed researchers to determine which organizations may have received Sunburst and which might have been breached further by the SolarWinds hackers.

Kaspersky’s industrial cybersecurity researchers analyzed a list of nearly 2,000 domains impacted by Sunburst and estimated that roughly 32% of them were associated with industrial organizations.


A majority of them are organizations in the manufacturing sector, followed by utilities, construction, transportation and logistics, oil and gas, mining, and energy. Kaspersky says they are located in various countries in the Americas, Europe, Asia and Africa, including the U.S., Canada, Iran, the Netherlands, Russia, Saudi Arabia and Uganda.

(Chart: Industrial sectors hit by Sunburst malware)

The cybersecurity firm has determined that roughly 200 of its customers received the malicious SolarWinds updates, including more than 20 in industrial sectors.


“The SolarWinds software is highly integrated into many systems around the globe in different industries and, as a result, the scale of the Sunburst attack is unparalleled – a lot of organizations that had been affected might have not been of interest to the attackers initially,” said Maria Garnaeva, senior security researcher at Kaspersky.

“While we do not have evidence of a second-stage attack among these victims, we should not rule out the possibility that it may come in the future. Therefore, it is crucial for organizations that may be victims of the attack to rule out the infection and make sure they have the right incident response procedures in place,” Garnaeva added.

Three cybersecurity firms, Mimecast, Qualys and Fidelis Cybersecurity, confirmed this week that they were impacted to some extent by the activities of the SolarWinds hackers.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
